I’m new to PrivacyIDEA, in fact still trying to figure out if it can be used for my purposes.
My authentication via sqlresolver works fine. I need to provide the authenticating system - via API and PHP lib - additional information about the authenticated user, so (s)he can be assigned proper roles or permissions in the authenticating system.
Therefore, I need to assign roles (or attributes, or whatever) that are not just admin and user roles supported by the PrivacyIDEA UI. Instead, a user could have, for example, system1_admin, system2_admin, system3_user, etc. That information should be made available to the authenticating system to properly restrict what a user can do on those systems.
I’ve played with roles, events and tokens with no success, but this is so new to me that I’m certainly missing something.
Welcome to privacyIDEA.
This is an interesting and important question.
The applications have to take care of the authorization. privacyIDEA can only provide information about the user, give this information to the application and have the application decide what to do.
So after all, you could use any user attribute to do so. To add further user attributes (like admin_level being “system2_admin”), you need to tweak your user resolver.
You could also use custom user attributes (introduced in 3.6).
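As an added illustration of the application-side authorization the reply describes (this is example code, not part of privacyIDEA or its PHP library), the following Python parses a constructed `/validate/check`-style JSON reply, checks that authentication actually succeeded before looking at any attributes, and maps a user attribute onto per-system access levels with a deny-by-default allow-list. The exact response shape, the `roles` attribute name and its comma-separated format are assumptions; verify them against your own instance and resolver.

```python
import json

# Application-side allow-list of role names. Anything not listed here is
# ignored even if the attribute contains it (constructed example values).
KNOWN_ROLES = {"system1_admin", "system2_admin", "system3_user"}

# Constructed sample reply. The nesting (result.status / result.value /
# detail.user) and the presence of user attributes in the reply are
# assumptions about your privacyIDEA setup, not a documented contract.
SAMPLE_RESPONSE = json.dumps({
    "result": {"status": True, "value": True},
    "detail": {
        "message": "matching 1 tokens",
        "user": {
            "username": "alice",
            "email": "alice@example.com",
            "roles": "system1_admin, system3_user"   # assumed attribute
        }
    }
})

# Same shape, but a failed authentication (constructed).
FAILED_RESPONSE = json.dumps({
    "result": {"status": True, "value": False},
    "detail": {"message": "wrong otp pin"}
})


def parse_validate_response(raw: str) -> dict:
    """Return the user attribute dict, but only for a successful authentication.

    Attributes are never consulted unless both status and value are True,
    so a failed login can never leak into a role assignment.
    """
    data = json.loads(raw)
    result = data.get("result", {})
    if result.get("status") is not True or result.get("value") is not True:
        raise PermissionError("authentication failed or request rejected")
    return data.get("detail", {}).get("user", {})


def roles_from_attributes(user: dict, attr: str = "roles") -> set:
    """Extract role names from a user attribute, accepting either a
    comma-separated string or a list, and keep only allow-listed names."""
    value = user.get(attr, "")
    if isinstance(value, str):
        candidates = [v.strip() for v in value.split(",")]
    elif isinstance(value, list):
        candidates = [str(v).strip() for v in value]
    else:
        candidates = []
    return {c for c in candidates if c in KNOWN_ROLES}


def access_level(roles: set, system: str):
    """Map roles like 'system1_admin' to an access level for one system.

    Returns 'admin' or 'user', or None when the user has no role for it.
    'admin' wins if both levels are present.
    """
    levels = {r.rsplit("_", 1)[1] for r in roles
              if r.rsplit("_", 1)[0] == system}
    if "admin" in levels:
        return "admin"
    if "user" in levels:
        return "user"
    return None


if __name__ == "__main__":
    user = parse_validate_response(SAMPLE_RESPONSE)
    roles = roles_from_attributes(user)
    for system in ("system1", "system2", "system3"):
        print(system, access_level(roles, system))
```

The decision of what a role means still lives entirely in the application, which is the point of the reply: privacyIDEA hands over attributes, and the allow-list plus the explicit success check keep an unexpected or malformed attribute value from granting anything.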